Swiss security firm Modzero said in a security advisory posted Thursday that an audio driver installed in several HP laptops contains a keylogger feature that records every keystroke entered into the computer into a log file.
HP has been shipping audio drivers with built-in keyloggers for at least 18 months, according to the security firm.
The security firm discovered the keylogger in an audio driver package by Hewlett-Packard during its security reviews of modern Windows Active Domain infrastructures.
The keylogger’s presence in the HP laptops could not be misconstrued, according to the security firm.
“A keylogger is a piece of software for which the case of dual-use can rarely be claimed. This means there are very few situations where you would describe a keylogger that records all keystrokes as ‘well-intended’. A keylogger records when a key is pressed, when it is released, and whether any shift or special keys have been pressed. It is also recorded if, for example, a password is entered even if it is not displayed on the screen.”
The purpose of the software is to recognize whether a special key has been pressed or released. The developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcast through a debugging interface or written to a log file in a public directory on the hard drive, the security firm said.
This type of debugging effectively turns the audio driver into keylogging spyware. On the basis of meta-information of the files, this keylogger has existed on HP computers since at least Christmas 2015, said the security firm.
The company advised all HP computer users to check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.
“We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore. However, the special function keys on the keyboards might no longer work as expected. If a C:\Users\Public\MicTray.log file exists on the hard-drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.”
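The check and cleanup described above can be scripted. The following PowerShell is an added example, not code from Modzero or HP; the three paths come from the advisory text, while the -Remediate switch and the ".disabled" suffix are assumptions made for illustration.

```powershell
# Added example: audit (and optionally remediate) the MicTray artifacts named in the advisory.
# Run from an elevated 64-bit PowerShell; a 32-bit process is redirected away from System32.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # hypothetical switch: rename the executables and delete the log
)

# Paths taken from the advisory text.
$executables = @(
    'C:\Windows\System32\MicTray64.exe',
    'C:\Windows\System32\MicTray.exe'
)
$logFile = 'C:\Users\Public\MicTray.log'

# Report presence, size and last write time; a growing log means keystrokes are being recorded.
$findings = foreach ($path in $executables + $logFile) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $path
        Present   = [bool]$item
        SizeBytes = if ($item) { $item.Length } else { $null }
        LastWrite = if ($item) { $item.LastWriteTime } else { $null }
    }
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Stop the running tray process so recording ends now, not only after a reboot.
    Get-Process -Name 'MicTray64', 'MicTray' -ErrorAction SilentlyContinue |
        Stop-Process -Force

    foreach ($exe in $executables) {
        if ((Test-Path -LiteralPath $exe) -and $PSCmdlet.ShouldProcess($exe, 'Rename to .disabled')) {
            # Renaming (rather than deleting) keeps the file available for later analysis.
            Rename-Item -LiteralPath $exe -NewName ((Split-Path $exe -Leaf) + '.disabled')
        }
    }
    if ((Test-Path -LiteralPath $logFile) -and $PSCmdlet.ShouldProcess($logFile, 'Delete keystroke log')) {
        Remove-Item -LiteralPath $logFile -Force
    }
}
```

Running it without -Remediate only reports; adding -WhatIf alongside -Remediate shows what would be renamed or deleted without changing anything.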